A few weeks ago, Kristen Faughnan got something that surprised her: a "low balance" text message from her bank. That didn't make sense. She'd just paid for a haircut, but she knew how much was in her account. Even after paying her stylist, it was much more than the level at which the bank would tell her she was almost out of funds.
"I logged onto my bank account to find two recent charges from Groupon," she says. They were from a cologne store in Texas. Faughnan lives in Pennsylvania.
Faughnan was most likely the victim of a costly form of cybercrime: a fake user taking over her account. Fake users spam a site's real users, steal confidential information or, as in Faughnan's case, take over an account (the fraudulent purchases were made through a credit card she had stored on the site -- a credit card that had expired, which added another piece to the puzzle).
The fakers are costing companies users – and money.
The faux user problem
According to “The Fraud Report: How Fake Users are Impacting Business,” a study released by TeleSign, a mobile identity solutions company, and the Ponemon Institute, a research institute, 82 percent of companies struggle with fake users.
They surveyed 584 U.S. and 414 U.K. individuals who are involved in the registration, use or management of user accounts. The average value of the respondents' user bases: $117 million. That's a lot of big targets for hackers to go after.
"You see [this kind of fraud] across pretty much any Web or mobile application that has a user base," says Ryan Disraeli, co-founder and vice president of Telesign, "Anywhere you need a login with an account, we're seeing issues with fake users."
And they're doing, well, everything. According to the study, 30 percent of fake users are there to spam real site users. Twenty-seven percent want to steal confidential information; 14 percent are after social engineering, 10 percent want information for phishing, six percent are hoping to take over an account, four percent want to create both chaos and disruption and credit card fraud, and three percent want to create fake reviews.
"Once they get in, they're in, virtually walking around and discovering lots of new interesting and cool stuff that they can get their claws into," says Joe Schorr, director of advanced security solutions at Bomgar. "They can pretty much take whatever they want once they're inside."
Companies aren't helping
Even though so many companies have a problem with fake users, they're not exactly putting up a fortress around their real user base. According to the study, 43 percent of companies say that they allow fake users onto their sites to avoid friction in the user registration process. The reasons for that are varied, too: 58 percent of users cite convenience as the reason; 52 percent say cost efficiency and 42 percent say ease of use. An organization's authentication strategy with security comes in fourth at 21 percent.
This usually happens because companies prioritize the size of the user base – typically at the behest of marketing – over security. In terms of sheer numbers, whether the user is fake or not doesn't matter.
"They want to put a stake in the ground and claim a huge amount of users," says Disraeli. "At the same time, they're letting everyone in, and that has an economic impact."
Researchers found that impact came to about $4 million per company that responded to the survey. That's the average amount they spent responding to spam or fraud committed by fake users. They also lost an average of four percent of business partners and nine percent of legitimate users – which happened with Faughnan.
"I removed all of my credit card information from their site because I don't consider it safe," she says of Groupon. "I don't plan to buy anything from them again."
Balancing the numbers
Schorr of Bomgar says that stopping fake users from getting into a company's system isn't necessarily that difficult. It's just a matter of priorities.
"I don't think hackers are that good," he says. They're looking to jump over the lowest hurdle, and making them take one more step to creating an account can push them towards another company that who bother to set up the hurdle on the track.
"They bump up against something and they pull back," he says. "They keep going until they find something or someone or somewhere they can get in." That could be through your low-security barriers, or through a third-party vendor who's in your space and doesn't pay as much attention to security as you do. Securing your fences and theirs, he says, is crucial.
Disraeli stresses the importance of the CIO going to bat against marketing if they're the ones pushing for a lower barrier of entry to become a user. "The purpose of the study is to arm CIOs and decision makers with the value of a clean user base," he says.